Posted to users@tomcat.apache.org by Scott Dayberry <Sc...@wcom.com> on 2002/08/16 17:31:38 UTC

getRemoteUser() reset to null after authenticated user hits an unauthorized page

I am using form-based authentication under Tomcat 3.2.3.

I have 3 security-constraint sections in web.xml for 3 different user roles.
If an already authenticated user selects a page to which he is not
authorized, he is redirected to the form-error-page (I thought this should
be a 403-Forbidden error instead), and his authentication is invalidated.
(A getRemoteUser() call returning null at this point verifies this).

The implication of this is that he can no longer select any pages that he
IS authorized for, and must re-login. Is this a known bug with Tomcat 3.2.3,
expected behavior, or is there a configuration setting I am missing?

Thanks in advance,
Scott


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
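The quickest way to pin down the symptom described above is to look at what the container itself reports about the caller before and after the unauthorized request. The servlet below is an added diagnostic example; it is not code from this thread or from Tomcat, and it only uses Servlet 2.2 API calls that Tomcat 3.2.x already provides. It assumes three role names (admin, editor, viewer) matching the three security-constraint sections, and assumes it is mapped to a URL such as /whoami that is NOT covered by any security-constraint, so the container never intercepts it with the login form.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Diagnostic servlet (added example, not from the thread): reports what the
 * container believes about the current caller. Request it once after logging
 * in, once after hitting a page the user is not authorized for, and compare.
 * If getRemoteUser() goes from a name to null while the session id stays the
 * same, the container dropped the principal rather than the session; if the
 * session id changes too, the whole session was invalidated.
 *
 * Assumptions for this example: role names below match the three
 * security-constraint sections, and the servlet is mapped outside all of them.
 */
public class WhoAmIServlet extends HttpServlet {

    // Role names are assumed; substitute the role-name values from your web.xml.
    private static final String[] ROLES = { "admin", "editor", "viewer" };

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // Both calls should agree; a mismatch is itself worth reporting.
        out.println("getRemoteUser()    = " + req.getRemoteUser());
        Principal p = req.getUserPrincipal();
        out.println("getUserPrincipal() = " + (p == null ? "null" : p.getName()));

        // Never create a session here: we only want to observe the existing one.
        HttpSession s = req.getSession(false);
        out.println("session id         = " + (s == null ? "none" : s.getId()));

        // Role membership as the container sees it for this request.
        for (int i = 0; i < ROLES.length; i++) {
            out.println("isUserInRole(" + ROLES[i] + ") = " + req.isUserInRole(ROLES[i]));
        }
    }
}
```

Because the servlet sits outside every security-constraint, its output reflects only what the container carried over from the earlier authenticated request. That is the same state the page the user IS authorized for would see, so a null here confirms that re-login is the only way back, exactly as the original post observes.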


Re: getRemoteUser() reset to null after authenticated user hits an unauthorized page

Posted by Bill Barker <re...@verizon.net>.
"Craig R. McClanahan" <cr...@apache.org> wrote in message
news:20020816101549.C77623-100000@icarus.apache.org...
>
>
> On Fri, 16 Aug 2002, Scott Dayberry wrote:
>
> > Date: Fri, 16 Aug 2002 11:11:53 -0600
> > From: Scott Dayberry <Sc...@wcom.com>
> > Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> > To: 'Tomcat Users List' <to...@jakarta.apache.org>
> > Subject: RE: getRemoteUser() reset to null after authenticated user hits
> >     an unauthorized page
> >
> > Thanks for your response.  I was hoping it wasn't a bug in 3.2.3, but rather
> > a configuration problem, or that a workaround existed.  :*)  Does this bug
> > exist in 3.3.1?
> >
>
> I haven't got a clue ... I've never used 3.3 for anything.  I'm sure
> others here can speak to that.

You've never wanted to run Tomcat under J2ME on your toaster? ;-)

getRemoteUser() works as expected under 3.3.1.

>
> > I've been reluctant to upgrade to Tomcat 4 due to potential installation and
> > compatibility issues with Apache 1.3.X, mod_jk.so, on both Solaris 2.6 and
> > 2.8.  Is this combination a clean upgrade on both OS's?
> >
>
> Likewise, you're better off asking some of the other folks who use the web
> connectors, but my impression is that it should work well for you.

As much as I hate to admit it, Craig is probably right.  The Java side of
the 4.x connectors is compatible with the 3.x binary Apache modules.  In
theory you can install your favorite version of 4.0.x without changing
anything on the Apache side, and install 4.1.x with only slight changes on
the Tomcat side.

>
> Craig
>
> >
> > > -----Original Message-----
> > > From: Craig R. McClanahan [mailto:craigmcc@apache.org]
> > > Sent: Friday, August 16, 2002 10:30 AM
> > > To: Tomcat Users List
> > > Subject: Re: getRemoteUser() reset to null after
> > > authenticated user hits
> > > an unauthorized page
> > >
> > >
> > >
> > >
> > > On Fri, 16 Aug 2002, Scott Dayberry wrote:
> > >
> > > > Date: Fri, 16 Aug 2002 09:31:38 -0600
> > > > From: Scott Dayberry <Sc...@wcom.com>
> > > > Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> > > > To: tomcat-user@jakarta.apache.org
> > > > Subject: getRemoteUser() reset to null after authenticated
> > > user hits an
> > > >     unauthorized page
> > > >
> > > > I am using form-based authentication under Tomcat 3.2.3.
> > > >
> > > > I have 3 security-constraint sections in web.xml for 3
> > > different user roles.
> > > > If an already authenticated user selects a page to which he is not
> > > > authorized, he is redirected to the form-error-page (I
> > > thought this should
> > > > be a 403-Forbidden error instead), and his authentication
> > > is invalidated.
> > > > (A getRemoteUser() call returning null at this point verifies this).
> > > >
> > > > The implication of this is that he can no longer select
> > > any pages that he
> > > > IS authorized for, and must re-login. Is this a known bug
> > > with Tomcat 3.2.3,
> > > > expected behavior, or is there a configuration setting I am missing?
> > > >
> > >
> > > Sounds like a bug in 3.2.3 (which is pretty ancient, by the
> > > way).  I think
> > > 3.2.3 also failed to return getRemoteUser() correctly when you
> > > successfully log on, and then navigate to a URL not protected by a
> > > security constraint.  Tomcat 4.0 and 4.1 handle that
> > > situation correctly.
> > >
> > > > Thanks in advance,
> > > > Scott
> > > >
> > >
> > > Craig
> > >
> > >


RE: getRemoteUser() reset to null after authenticated user hits an unauthorized page

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Fri, 16 Aug 2002, Scott Dayberry wrote:

> Date: Fri, 16 Aug 2002 11:11:53 -0600
> From: Scott Dayberry <Sc...@wcom.com>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: 'Tomcat Users List' <to...@jakarta.apache.org>
> Subject: RE: getRemoteUser() reset to null after authenticated user hits
>     an unauthorized page
>
> Thanks for your response.  I was hoping it wasn't a bug in 3.2.3, but rather
> a configuration problem, or that a workaround existed.  :*)  Does this bug
> exist in 3.3.1?
>

I haven't got a clue ... I've never used 3.3 for anything.  I'm sure
others here can speak to that.

> I've been reluctant to upgrade to Tomcat 4 due to potential installation and
> compatibility issues with Apache 1.3.X, mod_jk.so, on both Solaris 2.6 and
> 2.8.  Is this combination a clean upgrade on both OS's?
>

Likewise, you're better off asking some of the other folks who use the web
connectors, but my impression is that it should work well for you.

Craig

>
> > -----Original Message-----
> > From: Craig R. McClanahan [mailto:craigmcc@apache.org]
> > Sent: Friday, August 16, 2002 10:30 AM
> > To: Tomcat Users List
> > Subject: Re: getRemoteUser() reset to null after
> > authenticated user hits
> > an unauthorized page
> >
> >
> >
> >
> > On Fri, 16 Aug 2002, Scott Dayberry wrote:
> >
> > > Date: Fri, 16 Aug 2002 09:31:38 -0600
> > > From: Scott Dayberry <Sc...@wcom.com>
> > > Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> > > To: tomcat-user@jakarta.apache.org
> > > Subject: getRemoteUser() reset to null after authenticated
> > user hits an
> > >     unauthorized page
> > >
> > > I am using form-based authentication under Tomcat 3.2.3.
> > >
> > > I have 3 security-constraint sections in web.xml for 3
> > different user roles.
> > > If an already authenticated user selects a page to which he is not
> > > authorized, he is redirected to the form-error-page (I
> > thought this should
> > > be a 403-Forbidden error instead), and his authentication
> > is invalidated.
> > > (A getRemoteUser() call returning null at this point verifies this).
> > >
> > > The implication of this is that he can no longer select
> > any pages that he
> > > IS authorized for, and must re-login. Is this a known bug
> > with Tomcat 3.2.3,
> > > expected behavior, or is there a configuration setting I am missing?
> > >
> >
> > Sounds like a bug in 3.2.3 (which is pretty ancient, by the
> > way).  I think
> > 3.2.3 also failed to return getRemoteUser() correctly when you
> > successfully log on, and then navigate to a URL not protected by a
> > security constraint.  Tomcat 4.0 and 4.1 handle that
> > situation correctly.
> >
> > > Thanks in advance,
> > > Scott
> > >
> >
> > Craig
> >
> >


RE: getRemoteUser() reset to null after authenticated user hits an unauthorized page

Posted by Scott Dayberry <Sc...@wcom.com>.
Thanks for your response.  I was hoping it wasn't a bug in 3.2.3, but rather
a configuration problem, or that a workaround existed.  :*)  Does this bug
exist in 3.3.1?

I've been reluctant to upgrade to Tomcat 4 due to potential installation and
compatibility issues with Apache 1.3.X, mod_jk.so, on both Solaris 2.6 and
2.8.  Is this combination a clean upgrade on both OS's?


> -----Original Message-----
> From: Craig R. McClanahan [mailto:craigmcc@apache.org]
> Sent: Friday, August 16, 2002 10:30 AM
> To: Tomcat Users List
> Subject: Re: getRemoteUser() reset to null after
> authenticated user hits
> an unauthorized page
>
>
>
>
> On Fri, 16 Aug 2002, Scott Dayberry wrote:
>
> > Date: Fri, 16 Aug 2002 09:31:38 -0600
> > From: Scott Dayberry <Sc...@wcom.com>
> > Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> > To: tomcat-user@jakarta.apache.org
> > Subject: getRemoteUser() reset to null after authenticated
> user hits an
> >     unauthorized page
> >
> > I am using form-based authentication under Tomcat 3.2.3.
> >
> > I have 3 security-constraint sections in web.xml for 3
> different user roles.
> > If an already authenticated user selects a page to which he is not
> > authorized, he is redirected to the form-error-page (I
> thought this should
> > be a 403-Forbidden error instead), and his authentication
> is invalidated.
> > (A getRemoteUser() call returning null at this point verifies this).
> >
> > The implication of this is that he can no longer select
> any pages that he
> > IS authorized for, and must re-login. Is this a known bug
> with Tomcat 3.2.3,
> > expected behavior, or is there a configuration setting I am missing?
> >
>
> Sounds like a bug in 3.2.3 (which is pretty ancient, by the
> way).  I think
> 3.2.3 also failed to return getRemoteUser() correctly when you
> successfully log on, and then navigate to a URL not protected by a
> security constraint.  Tomcat 4.0 and 4.1 handle that
> situation correctly.
>
> > Thanks in advance,
> > Scott
> >
>
> Craig
>
>


Re: getRemoteUser() reset to null after authenticated user hits an unauthorized page

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Fri, 16 Aug 2002, Scott Dayberry wrote:

> Date: Fri, 16 Aug 2002 09:31:38 -0600
> From: Scott Dayberry <Sc...@wcom.com>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: tomcat-user@jakarta.apache.org
> Subject: getRemoteUser() reset to null after authenticated user hits an
>     unauthorized page
>
> I am using form-based authentication under Tomcat 3.2.3.
>
> I have 3 security-constraint sections in web.xml for 3 different user roles.
> If an already authenticated user selects a page to which he is not
> authorized, he is redirected to the form-error-page (I thought this should
> be a 403-Forbidden error instead), and his authentication is invalidated.
> (A getRemoteUser() call returning null at this point verifies this).
>
> The implication of this is that he can no longer select any pages that he
> IS authorized for, and must re-login. Is this a known bug with Tomcat 3.2.3,
> expected behavior, or is there a configuration setting I am missing?
>

Sounds like a bug in 3.2.3 (which is pretty ancient, by the way).  I think
3.2.3 also failed to return getRemoteUser() correctly when you
successfully log on, and then navigate to a URL not protected by a
security constraint.  Tomcat 4.0 and 4.1 handle that situation correctly.

> Thanks in advance,
> Scott
>

Craig

